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. CLAIMS: 

1 . ". A method for data lookup for firewalling and network address translating, 
comprising: 

instantiating a first data structure and a second data structure; 
populating the first data structure with state information for a packet; 
populating the second data structure with packet information for the packet; 

and * 

cross-linking the first data structure and the second data structure, the 
cross-linking including, 

generating an index for the packet information; and 

storing in the first data structure the index in association with the 

i - . , - . _ ■ ■ 

state information.. 

2. The method, according to claim 1, wherein the first data structure is a 
connection table. 

3. The method, according to claim 1 , wherein the second data structure is a 

• '■ . - 

network address translation table. 

* ■ . _ * 

4. The method, according to claim 1, wherein the state information includes 
Transport Control Protocol state. 

5. The method, according to claim 1 , wherein the packet information 
comprises a five-tuple of information. 

6. The method, according to claim 1 , wherein the generating comprises 
hashing at least a portion of the packet information to generate the index for the 
packet information. 

• * 

* i- ■ * * .■ 
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7. A method for creating data structures for physical layer addressing, 
comprising: .." 

* - 

instantiating a first, a second and a third data structure; , 
populating the first data structure with state information; 

■ - i * ► 

populating the second data structure with network address translation 
* information; 

populating the third data structure with interface information; and 
cross-linking the first data structure and the second data structure to the 

» . * . * ■ ■ 

third data structure, the cross-linking including: 

generating an index for the interface information; and 
\ storing the index in the first data structure in association with the 
state information and in the second data structure in association with the network 

i ' ' - 

address translation information. 

* 1 i i - • .i ■ ■ 

8. The method, according to claim 7, further comprising: 
instantiating a fourth data structure; 

populating the fourth data structure with routing information; and 
cross-linking the fourth data structure to the third data structure, the cross- 
linking including: 

storing the index in the fourth data structure in association with the 

routing information. 

.. » ■ 

9. The method, according to claim 8, wherein the third data structure is an 
address resolution table. 

10. The method, according to claim 9, wherein the first data structure is a 
connection table. 
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1 1 . The method, according to claim 10, wherein the populating of the first data ; 
structure comprises adding connection information to the first data structure. 

r 

- " ' ' ■ - • " * . 

12. The method, according to claim 10, wherein the connection information 
comprises a packet five-tuple of information. . 

* 

13. The method, according to claim 10, wherein the second data structure is a 
network address translation table. 

■* 

. *** 
■ - " „ . - _ » 

14. The method, according to claim 13, wherein the fourth data structure is a 
routing table. 

15. The method, according to claim 14, wherein the generating comprises 
hashing at least a portion of the interface information. 

• ». - - . . * , 

16. The method, according to claim 15, wherein the interface information 
comprises a media access control address. 

17. The method, according to claim 16, wherein the interface information 

comprises a virtual local area network identifier. 

■ '■ ■ 

18. The method, according to claim 17, wherein the interface information 
comprises an interface mask. 

19. A method for security protocol support, comprising: 

creating a table, the table including a first, a second and a third assigned 
data space; 

populating the first assigned data space to indicate that a security protocol 
is being used; 
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• • •••*§. 

* " T - L. ■ 

populating the second assigned data space with a first portion of a security 
protocol string; and 

populating the third assigned data space with a second portion of the 
security protocol string. 

r - » ■ " ■ '.- ■_ 

t - 

1 1 

r . 

20. The method, according to claim 19, wherein the table is a connection table. 

* ■ * 

* * 
■ * - 

21. The method, according to claim 20, wherein the connection table comprises 
a fourth data space for transport control protocol state information, the method 
further comprising populating the fourth data space with a transport control 
protocol state. 

■ ' ... 

22. The method, according to claim 20, wherein the second assigned data 
space is a remote port data space, and wherein the third assigned data space is a 
local port data space. 

■• i i 

23. The method, according to claim 19, wherein the table is a network address 
translation table. 

* * ■ ... . . < , 

- . ■ » 

■ ' * * • ■ 

24. The method, according to claim 23, wherein the second assigned data 
space is a remote port data space, and wherein the third assigned data space is a 
public port data space. : 

25. A method for creating at least one data structure, comprising: 
determining if a firewall is activated; 

determining if network address translator is activated; and 
creating the at least one data structure responsive to one of: 

the firewall and the network address translator being activated; 

the firewall being activated and the network address translator not 

' '59 ' 
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being activated; and 

the firewall not being activated and the network address translator 
being activated. - ■ 

• ' ... » ■ • i 

■% ■ * - . r .. ' 

26. A method for creating data structures, comprising: 
determining if a firewall is activated; 
determining if network address translator is activated; and 
creating a connection table responsive to whether the firewall is activated; 

and . 

creating the connection table and a network address translation table 
responsive to whether the network address translator is activated. 

» ■ . » ■ 

27. The method, according to claim 26, further comprising: 
creating an address resolution table; and 
creating a routing table. 

28. A data structure for routing packets, comprising: 
an Internet Protocol destination address data space for storing Internet 

Protocol destination addresses; 

an Internet Protocol source address data space for storing Internet Protocol 
source address; and 

an address resolution table index data space for storing indices to an 
address resolution table; 

« 

wherein the address resolution table includes a media access control 
address data space for storing media access control addresses. 

29. The data structure, according to claim 28, wherein the data structure may 
be used exclusively in combination with the address resolution table for the, 
routing of packets when both firewalling and network address translating are not 
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present. 

30. A data structure for routing packets, consisting of: 
an Internet Protocol destination address data space for storing Internet 

Protocol destination addresses; 

an Internet Protocol source address data space for storing Internet Protocol 

- ■ . . 

source address; and 

an address resolution table index data space for storing indices to an 
address resolution table. 

■ ■ 

* ■ * • ( .. . 

31. A method of forming hashing table chains, comprising: 

• • , * - * - .... 

obtaining a first connection hash value, the first connection hash value 
pointing to a first slot in the hashing table; 

obtaining a second connection hash value, the second connection hash 
value pointing to the first slot in the hashing table; 

assigning the second connection hash value to a second slot in the hashing 

table; 

.-*■■. ■ • . . ■ • ■ 

pointing the first slot toward the second slot; 

obtaining a third connection hash value, the third connection hash value 
pointing to the second slot in the hashing table; 

moving contents of the second slot to a third slot in the hashing table; and 
assigning the third connection hash value to the second slot in the hashing 

table. 

32. The method, according to claim 31 , wherein the first connection hash value, 
the second connection hash value and the third connection hash value are 
respective hashes of packet information. 

* * * 

33. The method, according to claim 32, wherein the packet information is a 
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-» , 

packet five-tuple. 

34. A method for tracking packet states, comprising: 

initiating tracking of state from a CLOSED state; 

... ■■ • • - . ,. • 

from the CLOSED state, tracking transition to a LISTEN state or a SYN- 
SENT state; 

* - - . 

from the LISTEN state, tracking transition to one of the CLOSED state, a 
SYN-RCVD state or the SYN-SENT state; 

■ 

from the SYN-RCVD state, tracking transition to either a first hardware 
state or a SYN-RCVD-SYN-SENT state; 

from the SYN-SENT state, tracking transition to either a second hardware 
state or the SYN-RCVD-SYN-SENT state; 

from the SYN-RCVD-SYN-SENT state, tracking transition to either a first 
SYN-RCVD-SYN-SENT-ACK state or a second SYN-RCVD-SYN-SENT-ACK 
state; and 

from either the first SYN-RCVD-SYN-SENT-ACK state or the second SYN- 
RCVD-SYN-SENT-ACK state, tracking transition to a third hardware state. 

35. The method, according to claim 34, wherein the transition from the LISTEN 
state to either the SYN-RCVD state or the SYN-SENT state is respectively 

l - 

responsive to detecting either a received SYN or a sent SYN for a packet. 

4 

36. The method, according to claim 34, wherein the transition from the SYN- 
RCVD state to either the first hardware state or the SYN-RCVD-SYN-SENT state 
is respectively responsive to detecting either a sent SYN-ACK or a sent SYN for a 
packet. 

37. The method, according to claim 34, wherein the transition from the SYN- 
SENT state to either the second hardware state or the SYN-RCVD-SYN-SENT 
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state is respectively responsive to detecting either a received SYN-ACK or a 

- . . ■ ■ ■ . 

received SYN for a packet. 

38. The method, according to claim 34, wherein the transition from the SYN- 
RCVD-SYN-SENT state to either the first SYN-RCVD-SYN-SENT-ACK state or 
the second SYN-RCVD-SYN-SENT-ACK state is respectively responsive to 

* ■ 

detecting either a sent SYN-ACK or a received SYN-ACK for a: packet. 

■ ■ ~ ■ i. ■ , 

39. The method, according to claim 34, wherein the transition from either the 
first SYN-RCVD-SYN-SENT-ACK state or the second SYN-RCVD-SYN-SENT- 

- . - ^ ■ 

i ■ i, - 

ACK state to the third hardware state is respectively responsive to detecting either 
a received SYN-ACK or a sent SYN-ACK for a packet. 

1 ' - ' . - . - 

40. The method, according to claim 34, wherein the first hardware state is a 
SYN-RCVD-SYN-ACK-SENT state, the second hardware state is SYN-SENT- .. 

SYN-ACK-RCVD state, and the third hardware state is a connection-established 

■ ■- . ( _ 

state. ■ 

r * * * • , ■ 

i r - - . _ 

41 . The method, according to claim 34, wherein the transition from the LISTEN 
state to the CLOSED state is responsive to an age out condition for a packet. 

42. The method, according to claim 34, wherein the transition from the LISTEN 
state to the CLOSED state is responsive to a close condition for a packet. 

43. The method, according to claim 34, wherein the transition from the 
CLOSED state to the SYN-SENT state is responsive to a sent SYN for a packet, 

v 

44. The method, according to claim 34, wherein the LISTEN state, the SYN- 

t" 

RCVD state, the SYN-SENT state, the SYN-RCVD-SYN-SENT state, the first 
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SYN-RCVD-SYN-SENT-ACK state and the second SYN-RCVD-SYN-SENT-ACK 
state are software states. 

i ' ■ 

■ - > > * ■ » 

45. An apparatus for tracking packet states, comprising: 

means for initiating tracking of state from a first CLOSED state; . 
means for tracking software states for packets to one of a first, a second 
and a third hardware state, the first hardware state being a SYN-RCVD-SYN- 
ACK-SENT state, the second hardware state being SYN-SENT-SYN-ACK-RCVD 
state, and the third hardware state being a connection-established state; and 
means for tracking hardware states for the packets including: 

means for tracking transition to the connection-established state 
from the SYN-RCVD-SYN-ACK-SENT state; 

means for tracking transition to the connection-established state 
from the SYN-SENT-SYN-ACK-RCVD state; 

means for tracking transition to a first FIN-WAIT state from the SYN- 
RCVD-SYN-ACK-SENT state, the SYN-SENT-SYN-ACK-RCVD state or 
'the connection-established state; and 

means for tracking transition to a CLOSE-WAIT-FIN state from the 
SYN-RCVD-SYN-ACK-SENT state, the SYN-SENT-SYN-ACK-RCVD state 
or the connection-established state. 

46. The apparatus, according to claim 45, further comprising: 

means for tracking transition to a second FIN-WAIT state, a FIN-WAIT-FIN 
state or a CLOSING-FIN state from the first FIN-WAIT state; and 

means for tracking transition to the CLOSING-FIN state, a LAST-ACK state 
or a CLOSE-WAIT state from the CLOSE-WAIT-FIN state. 

* . 

* - 

47. The apparatus, according to claim 46, further comprising: 

means for tracking transition to the FIN-WAIT-FIN state from the second 
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. ' * i " ' - 

FIN-WAIT state; 

means for tracking transition to the FIN-WAIT-FIN state or a CLOSING 
state from the CLOSING-FIN state; and 

means for tracking transition to the LAST-AC K state from the CLOSE-WAIT 

state. 

48. The apparatus, according to claim 47, further comprising: 

means for tracking transition to a TIME-WAIT state from the FIN-WAIT-FIN 

state; 

-' ■ ■ . ■ ■ ■ • . . . ■ . 

means for tracking transition to the TIME-WAIT state from the CLOSING 

state; and 

means for tracking transition to a second CLOSED state from the LAST- 
ACK state or the TIME-WAIT state. 

' ' f ■ '. * - " ■ ■ ■ 

49. The apparatus, according to claim 45, wherein the transition to the first FIN- 
WAIT state from the SYN-RCVD-SYN-ACK-SENT state, the SYN-SENT-SYN- . 

ACK-RCVD state or the connection-established state is responsive to a sent FIN. 

..... '• ■ ■ . ■ ' 

50. The apparatus, according to clgim 45, wherein the transition to the 
connection-established state from the SYN-RCVD-SYN-ACK-SENT state is 
responsive to a received ACK of a SYN. 

51. The apparatus, according to claim 45, wherein the transition to the 
connection-established state from the SYN-SENT-SYN-ACK-RCVD state is 
responsive to a sent ACK of a SYN. 

52. The apparatus, according to claim 46, wherein the transition to the second 
FIN-WAIT state from the first FIN-WAIT state is responsive to a received AGK of a 
FIN. 
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53. The apparatus, according to claim 46, wherein the transition to the FIN- 
WAIT-FIN state from the first FIN-WAIT state is responsive to a received FIN and 

* - ■ ■ - - 

a received ACK of the received FIN in a packet. 

.' i 

54. The apparatus, according to claim 46, wherein the transition to the 
CLOSING-FIN state from the first FIN-WAIT state is responsive to a received FIN. 

55. The apparatus, according to claim 46, wherein the transition to the 
CLOSING-FIN state from the CLOSE-WAIT-FIN state is responsive to a sent FIN- 

L .l" '. * I w ' 

» * - ' ■ I 

56. The apparatus, according to claim 46, wherein the transition to the LAST- 
ACK state from the CLOSING-WAITrFIN state is responsive to a sent FIN and a 
sent ACK of the sent FIN in a packet. 

57. The apparatus, according to claim 46, wherein the transition to the CLOSE 
WAIT state from the CLOSE-WAIT-FIN state is responsive to a sent ACK of a FIN 

58. The apparatus, according to claim 47, wherein the transition to the FIN- 
WAIT-FIN state from the second FIN-WAIT state is responsive to a received FIN. 

59. The apparatus, according to claim 47, wherein the transition to the FIN- 
WAIT-FIN state from the CLOSING-FIN state is responsive to a received ACK of 
FIN. 

60. The apparatus, according to claim 47, wherein the transition to the 
CLOSING state from the CLOSING-FIN state is responsive to a sent ACK of a 
FIN. 
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61 . The apparatus, according to claim 47, wherein the transition to the LAST- 
ACK state from the CLOSE-WAIT state is responsive to a sent FIN. 

* 

62. The apparatus, according to claim 48, wherein the transition to a TIME- 
WAIT state from the FIN-WAIT-FIN state is responsive to a sent ACK of a FIN. 

63. The apparatus, according to claim 48, wherein the transition to the TIME- 
WAIT state from the CLOSING state is responsive to a received ACK of a FIN. 

r ^ * i 

64. The apparatus, according to claim 48, wherein the transition to a second 
CLOSED state from the LAST-ACK state is responsive to a received ACK of a 
FIN. ; '/ 

65. The apparatus, according to claim 48, wherein the transition to a second 
CLOSED state from the TIME-WAIT state is responsive to a timed out condition. 

" ■ * ' 

66. A method for network protocol processing, comprising:. 

obtaining a packet for network address translation/the packet having a 
media access control header; 

obtaining information, including the media access control header, from the 

* ■ - 

packet; 

parsing out the information into one or more data structures; 
determining if a network processing unit is in a pass-through mode 
responsive to the media access control header; and 

T 

responsive to the network processing unit not being in the pass-through 

mode, 

determining whether multicast or broadcast is active; and 
determining whether a protocol type for the packet is supported by 
the network processing unit. 



NVDA P000605 US PATENT 

- - • t ■ i *■ 

•r * * « 

67. The method, according to claim 66, wherein the pass-through mode is a 
frame conversion only mode. 

68. The method, according to claim 66, further comprising: 
responsive to the network processing unit being in the pass-through mode, 

converting header format of the packet to provide a composed 
packet; and 

transmitting the composed packet. 

■ t * ■ 

69. The method, according to claim 68, wherein the composed packet is 
transmitted to a firewall module of the network processing unit. 

k - . , < . _ 

70. The method, according to claim 69, wherein the composed packet is 

transmitted to an address translator portion of the network processing . unit. 

* , ■ - '• • 

71. The method, according to claim 69, wherein the composed packet is 
transmitted to a sequence processor portion of the network processing unit: 

72. the method, according to claim 66, further comprising determining whether 
a data link layer is valid. 

73. The method, according to claim 66, wherein the determining whether 
multicast or broadcast is active further comprises determining whether a frame is 
for broadcast or multicast. 

74. The method, according to claim 66, wherein the determining whether the 
protocol type for the packet is supported by the network processing unit comprises 
determining whether the protocol type of the packet is supported on an incoming 
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75. An apparatus for network protocol processing, comprising: 

means for obtaining a packet for network address translation, the packet 
having a media access control header; 

means for obtaining information, including the media access control 
header, from the packet; 

means for parsing out the information into one or more data structures; 

means for determining if a network processing unit is not in a pass-through 
mode responsive to the media access control header; 

means for determining whether multicast reception is active; 

means for determining whether a data link layer is valid; and 

means for determining whether a protocol type for the packet is supported 
by the network processing unit. 

t ■ > - , ' - • 

76. A signal-bearing medium containing a program which, when executed by a 
processor, causes execution of a method for network protocol processing 
comprising: 

obtaining a packet for network address translation, the packet having a ' 
media access control header; 

obtaining information, including the media access control header, from the 

packet; 

parsing out the information into one or more data structures; 

determining if a network processing unit is not in a pass-through mode 
responsive to the media access control header; 

determining whether multicast reception is active; 

determining whether a data link layer is valid; and 

determining whether a protocol type for the packet is supported by the 
network processing unit. 

4 
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